View Issue Details

Jump to NotesJump to History
IDProjectCategoryView StatusDate SubmittedLast Update
0003899Kali LinuxQueued Tool Additionpublic2017-03-01 19:152023-10-25 14:21
Reporterkum0nga Assigned Todaniruiz  
PrioritynormalSeverityminorReproducibilityalways
Status closedResolutionwon't fix 
Summary0003899: Chankro - tool to bypass disable_functions & open_basedir in post-explotation stage
Description

Chankro is a tool written in python that generate a PHP capable of run a custom binary (like a meterpreter) or a bash script (p.e. reverse shell) bypassing disable_functions & open_basedir. The bypass is made by the explotation of this bug (https://bugs.php.net/bug.php?id=46741).

If a unix based server has enabled mail() and putenv() is possible to set LD_PRELOAD to a evil .so that will hook the binary called when PHP executes mail(). This way we can hijack a function of that binary and execute our code without restrictions.

Chankro is powerfull tool focused on post-explotation stage during a pentest.

Can be downloaded from here: https://github.com/TarlogicSecurity/Chankro

The usage is pretty simple (select: arch, input file, output file, and the path where the .so will be dropped):

python chankro.py --arch 64 --input rev.sh --output chan.php --path /var/www/html

I hope this tool helps you with your next pentest.

Best regards.

Attached Files
Chankro-master.zip (19,367 bytes)

Activities

g0tmi1k

g0tmi1k

2018-01-29 14:45

administrator   ~0008365

To help speed up the process of evaluating the tool, please make sure to include the following information (the more information you include, the more beneficial it will for us):

  • [Name] - The name of the tool
  • [Version] - What version of the tool should be added?
    --- If it uses source control (such as git), please make sure there is a release to match (e.g. git tag)
  • [Homepage] - Where can the tool be found online? Where to go to get more information?
  • [Download] - Where to go to get the tool?
  • [Author] - Who made the tool?
  • [Licence] - How is the software distributed? What conditions does it come with?
  • [Description] - What is the tool about? What does it do?
  • [Dependencies] - What is needed for the tool to work?
  • [Similar tools] - What other tools are out there?
  • [How to install] - How do you compile it?
  • [How to use] - What are some basic commands/functions to demonstrate it?
TheXC3LL

TheXC3LL

2018-01-31 08:33

reporter   ~0008588

Name: Chankro

Version: v0.2

Download: https://github.com/TarlogicSecurity/Chankro

Author: Juan Manuel Fernandez (@TheXC3LL)

License: GNU General Public License v3.0

Description:
Chankro is a tool written in python that generate a PHP capable of run a custom binary (like a meterpreter) or a bash script (p.e. reverse shell) bypassing disable_functions & open_basedir. The bypass is made by the explotation of this bug (https://bugs.php.net/bug.php?id=46741). PHP refuses to fix the bug.

Dependencies: python modules argparse and base64

Similar tools: There is no any tool that automatizes the explotation of this bug.

How to install: download repo from Github & execute it

How to use:

python chankro.py --arch 64 --input rev.sh --output chan.php --path /var/www/html

-> Arch: 64 o 32bits
-> Input: file that will be executed without restrictions
-> Output: PHP generated that need to be uploaded to server
-> Path: Absolute path where the PHP will be uploaded
g0tmi1k

g0tmi1k

2018-01-31 09:21

administrator   ~0008589

There isn't a git tag release on https://github.com/TarlogicSecurity/Chankro/releases
Please could you tag & release v0.2
TheXC3LL

TheXC3LL

2018-01-31 16:04

reporter   ~0008592

Done!

https://github.com/TarlogicSecurity/Chankro/releases/tag/v0.2
TheXC3LL

TheXC3LL

2018-05-02 08:04

reporter   ~0009085

Updated to version v0.3. Now no need to hook a function, just uses attribute((constructor)) to execute the payload when is pre-loaded.

Download: https://github.com/TarlogicSecurity/Chankro/releases/tag/v0.3
g0tmi1k

g0tmi1k

2020-03-25 13:35

administrator   ~0012542

@kali-team, please could this be packaged up.
@author, If you want to help the packaging process, you can check the documentation here ~ https://www.kali.org/docs/development/public-packaging
daniruiz

daniruiz

2023-10-25 14:21

manager   ~0018557

I'm closing this as the tool is based on python2, which is now deprecated and unsupported in Kali

Issue History

Date Modified Username Field Change
2017-03-01 19:15 kum0nga New Issue
2017-03-01 19:15 kum0nga File Added: Chankro-master.zip
2018-01-29 14:45 g0tmi1k Note Added: 0008365
2018-01-31 08:33 TheXC3LL Note Added: 0008588
2018-01-31 09:21 g0tmi1k Note Added: 0008589
2018-01-31 16:04 TheXC3LL Note Added: 0008592
2018-05-02 08:04 TheXC3LL Note Added: 0009085
2019-12-09 13:30 g0tmi1k Severity minor => feature
2020-03-25 13:35 g0tmi1k Note Added: 0012542
2020-03-25 13:35 g0tmi1k Status new => acknowledged
2020-03-25 13:35 g0tmi1k Category New Tool Requests => Queued Tool Addition
2020-06-17 14:58 g0tmi1k Severity feature => minor
2020-12-01 11:05 g0tmi1k Summary Chankro: tool to bypass disable_functions & open_basedir in post-explotation stage => Chankro - tool to bypass disable_functions & open_basedir in post-explotation stage
2023-10-25 14:21 daniruiz Note Added: 0018557
2023-10-25 14:21 daniruiz Assigned To => daniruiz
2023-10-25 14:21 daniruiz Status acknowledged => closed
2023-10-25 14:21 daniruiz Resolution open => won't fix